Ryuk ransomware hits several major US newspapers

Walden Systems News - Ransomware - Major US newspapers get hit with Ryuk over the Christmas holidays.

A version of the Ryuk ransomware is the primary suspect in attacks that caused printing and delivery disruptions for several major US newspapers over the holidays. The attack affected printing centers operated by Tribune Publishing and former Tribune Publishing property, the Los Angeles Times. All Tribune Publishing newspapers were affected to some degree by the cyber-attack. The Chicago Tribune, Lake County News-Sun, Post-Tribune, Hartford Courant, Baltimore Sun, Capital Gazette, and Carroll County Times were published without paid death notices and classified ads, according to the Chicago Tribune, Hartford Courant, and Baltimore Sun.

The LA Times cited an inside source at its former parent company who claimed the printing outage was caused by an infection with the Ryuk ransomware. Ryuk was first described in a Check Point report published over the summer. The ransomware is primarily deployed in targeted attacks on high-value targets, with the aim of extracting payment from companies that can't afford major downtime. Previous Ryuk ransomware victims include the major Canadian restaurant chain Recipe Unlimited.


The Los Angeles Times reported that the attack is believed to have originated from outside the United States, but officials said it was too soon to say whether it was carried out by a foreign state or some other entity. An unnamed source claimed that “The attack was to disable infrastructure, more specifically servers, as opposed to looking to steal information.”

The appearance of Ryuk led some media outlets to rush to connect the attribution dots and suggest that North Korea had attempted to disrupt U.S. newspapers. That's because Ryuk's code shares numerous similarities with Hermes ransomware, as the security firm Check Point Software noted in a report released in August. The U.S. government later incorporated that information into its own alert about Ryuk. But Check Point stressed that Ryuk's reuse of Hermes code proves nothing about who is behind it. "The current wave of targeted attacks using Ryuk may either be the work of the Hermes operators - the allegedly North Korean group - or the work of an actor who has obtained the Hermes source code," Check Point's report said.

So far, it's not clear if Ryuk is the work of just one group. In August, for example, Check Point reported two different Ryuk ransom notes: "A longer, well-worded and nicely phrased note, which led to the highest recorded payment of 50 BTC (about $150,000), and a shorter, more blunt note, which was sent to various other organizations and also led to some fine ransom payments ranging between 15-35 BTC (about $100,000)." This could mean that more than one group is behind the attacks. Either way, the attacks are a windfall for the people behind them. One cryptocurrency wallet address used in a Ryuk campaign has received more than $620,000 in bitcoin ransom payments, including a single payment of 100 BTC (about $380,000). Unlike GandCrab or Dharma, the Ryuk operators pursue higher ransoms from a smaller number of attacks.

The high ransoms demanded highlight Ryuk as a cash cow for criminals rather than a disruption tool. If the Tribune disruption does trace to Ryuk, the headlines may still read "North Korea attacks US News Infrastructure." Regardless of the motive in the Tribune outbreak, one lesson we can all learn is that we must ensure we have the correct defenses in place not only to spot and quickly recover from ransomware, but also to block the modes of entry used by the more advanced ransomware cybercrime gangs.